The first penalty imposed by the President of UODO for failure to comply with the information obligation
The first penalty imposed by the President of the Polish Office for Personal Data Protection (UODO) for violating the provisions of the GDPR has caused great controversy, and not only because of its amount, which reaches nearly PLN 1,000,000 (about EUR 220,000). An entity that shares data obtained from public registers as part of so-called business intelligence was penalised for failing to comply with the information obligation towards persons whose personal data was obtained from the business register. The penalised company deliberately chose not to fulfill the information obligation because it considered that the exception provided for in Article 14 par. 5 of the GDPR applied. Because this entity had only the address of some of the people in the database, providing them with information about data processing by mail would involve a very high cost and organizational effort. Instead, the company posted information about data processing on its website. The case will most likely be finally resolved in court.
Taking into account the restrictive approach of the Polish supervisory body to the issue of fulfilling the information obligation, we provide guidance on its implementation below.
In which situations should the data controller fulfill the information obligation in accordance with art. 14 par. 1 and 2 of the GDPR?
As a rule, the information obligation must be fulfilled when the personal data we process has not been provided to us directly by the person to whom it relates. This will happen, for example, in the case of:
a) obtaining personal data from third parties through:
– a recruitment referral system;
– the contractor’s indication of the personal data of the employees responsible for contact,
b) purchasing a database containing personal data,
c) supplementing one's own database with additional personal data from publicly available systems, e.g. from CEiDG (Central Registration and Information on Business), telephone directories etc.,
d) purchasing receivables due to natural persons,
e) the transfer of the workplace or part thereof to another employer.
Note: the information obligation does not apply to entities that process personal data obtained in this way as processors, at the request of the data controller (unless otherwise agreed in the contract for entrusting the processing of personal data concluded by the parties).
What information should be provided to data subjects?
In addition to basic information about the data controller, the purposes and legal bases of processing, and the rights related to data processing, it is necessary to state what categories of data are processed and from what source they were obtained, including whether they come from public registers (e.g. CEiDG, or GUS, the General Statistical Authority).
At what time should the information obligation be fulfilled?
Information about the processing of personal data should be provided within a reasonable time, not longer than one month from the moment the data was obtained. If the data controller obtained personal data in order to contact the data subject or to disclose it to third parties, information about the processing of personal data should be provided no later than when these activities take place.
Is it possible to abandon the obligation to provide information due to the high costs or organizational difficulties associated with it?
Under the GDPR, derogations from the information obligation specified in art. 14 par. 1 and 2 of the GDPR are possible, for instance where providing the information would place a disproportionately high burden on the data controller or would be impossible. In the light of the decision of the President of the UODO, however, extreme caution is recommended and the use of these exemptions should be exceptional. It is worth investigating beforehand how the lack of information will affect the ability of data subjects to exercise the rights related to the processing of personal data, such as the right to information, to correct data or to object to the processing.